[wp-hackers] Critical WP Flaw?

Jamie Holly hovercrafter at earthlink.net
Thu Jul 27 13:12:55 GMT 2006


> Saying so here won't make much of a dent in changing that. I've never
> heard of current_user_can(), either, along with, apparently, a lot of
> other plugin devs. This would lead me to believe there is a failure in
> documentation which should probably also be addressed along with this
> security vulnerability, if this is so important.

> If you're relying on the cap/level check provided when you register a
> menu/submenu, that will cover most plugins.  There is indeed a bug in
> 2.0.3 that breaks this check in some cases.  2.0.4 beta fixes this.  If
> you don't register a menu and don't do a level or cap check, your plugin
> is vulnerable.

> Personally, I never really meant the menu cap check to be relied upon
> quite so heavily.  It was offered as a convenience thing for simple
> plugins. I use current_user_can() in my plugins.

> current_user_can() is the heart of the capability system.

> http://codex.wordpress.org/Roles_and_Capabilities

> Looks like we need to do a better job of documenting with regard to
> plugin development.

> Ryan

I couldn't agree more. It took me some time before I really found out about
the current_user_can() and once I found it life was much easier. The role
capabilities plugin makes using this feature extra nice. I would almost like
to see some sort of role manager placed into the WP core and even more roles
added (like a can_moderate_comments). 

The user roles and capabilities should be used in all plugins requiring
access checks, but I got a feeling many people either a) don't know about it
or b) shy away because you need a plugin to really set user capabilities.

Jamie Holly
http://www.intoxination.net
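As an added example (not code from this thread, and not WordPress's own code), here is the pattern Ryan describes above: the capability argument passed when registering the menu gates the menu entry, and the page handler also calls current_user_can() itself, so the check holds regardless of how the request reached that function. Everything prefixed capex_ and the option name capex_value are hypothetical; the example assumes a WordPress version (2.0.4 or later) that provides wp_die(), wp_nonce_field() and check_admin_referer().

```php
<?php
/*
Plugin Name: Capability Check Example (hypothetical, added example)
Description: Menu capability check plus an explicit current_user_can() check.
*/

add_action('admin_menu', 'capex_register_menu');

// Register a settings page under Options. The third argument is the capability
// WordPress checks before showing the menu entry and running the callback.
function capex_register_menu() {
    add_options_page(
        'Capability Example',   // page title
        'Capability Example',   // menu title
        'manage_options',       // capability required for this entry
        'capex-settings',       // menu slug (hypothetical)
        'capex_settings_page'   // callback that renders the page
    );
}

// ANTI-PATTERN (shown for contrast, not hooked anywhere): trusts that the
// menu check already happened and writes the option with no check of its
// own. This is the "don't do a level or cap check" case the thread calls
// vulnerable.
function capex_save_without_check() {
    if (isset($_POST['capex_value'])) {
        update_option('capex_value', strip_tags(trim(stripslashes($_POST['capex_value']))));
    }
}

// Hardened handler: the capability check lives in the code that performs the
// state change, so it does not depend on the menu registration being the
// only way in.
function capex_settings_page() {
    if (!current_user_can('manage_options')) {
        wp_die('You do not have sufficient permissions to access this page.');
    }

    if (isset($_POST['capex_value'])) {
        // Separate control from the capability check: confirm the POST came
        // from this form (CSRF nonce) before touching the database.
        check_admin_referer('capex_save_settings');
        // WordPress slashes request data, so unslash before storing.
        $value = strip_tags(trim(stripslashes($_POST['capex_value'])));
        update_option('capex_value', $value);   // hypothetical option name
        echo '<div class="updated"><p>Setting saved.</p></div>';
    }

    $current = htmlspecialchars(get_option('capex_value'), ENT_QUOTES);
    echo '<div class="wrap"><h2>Capability Example</h2>';
    echo '<form method="post">';
    wp_nonce_field('capex_save_settings');   // emits the hidden nonce field
    echo '<p><input type="text" name="capex_value" value="' . $current . '" /></p>';
    echo '<p><input type="submit" class="button" value="Save" /></p>';
    echo '</form></div>';
}
```

Only capex_settings_page() is wired up; capex_save_without_check() exists purely to show what is missing when a plugin relies on the menu check alone. The point from the thread is that the capability check belongs next to the option write, where a reviewer can see it, rather than being inferred from the menu registration elsewhere in the file.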

-----Original Message-----
From: wp-hackers-bounces at lists.automattic.com
[mailto:wp-hackers-bounces at lists.automattic.com] On Behalf Of Ryan Boren
Sent: Thursday, July 27, 2006 6:04 AM
To: wp-hackers at lists.automattic.com
Subject: Re: [wp-hackers] Critical WP Flaw?

